Apple’s iOS operating system is usually considered as a secured ecosystem. Even when users and researchers find a bug inside the OS, the company is quick to fix them. However, it looks like Apple has ignored a very important bug that has existed on its default iOS Mail app for the past few months.
Security researcher, Jansoucek, recently published the attack code on Github which reportedly exploits vulnerability on Apple’s Mail app to steal user information. The attack can be used to steal important details such as the iCloud password, the location as well as identity details of the user. He had already notified of this issue to Apple back in January, but the company is yet to fix it with a patch. Even the latest version of iOS Mail App v8.3 has this vulnerability. So, he has finally published the attack code with full details on GitHub.
According to ARSTechnica, attackers can use the fact that the iOS Mail app does not remove HTML codes from incoming messages, which makes it easy for them to collect user information. For example, in a proof of concept attack, the existing HTML codes can be used to download a form which looks a lot like the iCloud login prompt from the remote server. This can be then displayed when the user opens up the mail.
Since the mail app is known to ask for login details in between, this attack may turn out to be successful. Any user who does not pay close attention to the dialog may end up sending his or her password to the attacker. It’s even possible for them to display the message just once after the mail is opened, to make it look genuine. Other kinds of information such as who opened the mail, when was it opened as well as the IP address of the user can be sent to the attacker.
However, if users are a bit cautious, they can spot a fake login dialog. For example, the login prompt in case of an attack will not be truly modal. This means that the background will not fade away and users can perform actions other than clicking the login or cancel buttons on the app. Another possible difference is that the fake prompt will ask for both, username and password, whereas the standard Apple dialog usually asks for just the password when inside the app.
Given that the code is now on GitHub, hackers can use it to create variations and exploit users. Hence, Apple should be releasing a patch for this vulnerability pretty soon.
For comments and suggestions, leave a message in the comments section below. Like and Follow our Facebook page for more stories and to stay up-to-date with the latest happenings.